
RE: Display name attribute



From: "BENNETT,JEREMY (HP-PaloAlto,ex1)" <jeremy_bennett@am.exch.hp.com>

> It is unfortunate that the two both use the phrase 'Distinguished Name.'
> This implies to people that they must be the same. The general purpose of each
> is even similar: provide a unique name for everyone in the namespace.
> When you look further, though, you see that the needs are different.
> 
> The X.509 DN is a collection of attributes that represent the holder's
> verified identity. Each attribute has a meaning in the name as well as the
> identity. 

I believe this is the old way of looking at it. With v3 certificates, the 
DN in the cert can still equate to the directory DN (indeed there are 
good reasons why this should be the case, as this securely binds 
the certificate to the repository and stops switching of certs in 
directory entries without people knowing it). Then the General 
Names extension can hold other attributes that help you identify the 
person, if the DN on its own is insufficient. This is why we put the 
email address in the extension and NOT in the DN, as you have 
done in your example below.

> For example consider my two DNs:
> 
> Cert: CN=Jeremy F Bennett + E=jeremy_bennett@hp.com,O=Hewlett-Packard Company,C=US,OU=Employees,O=hp.com

This is a rather long and convoluted DN. You could extract the email 
address and company name, put that in the General Names 
extension, and then the DN would again equate to the LDAP DN. As 
I said above, there is a good security reason for doing this.

> LDAP: emailaddress=jeremy_bennett@hp.com,ou=Employees,o=hp.com
> 

> Given my perspective, as above, of not having CN in the directory DN at
> all, I agree with the proposal for a single-valued attribute representing
> what should be used to display the entry in short list boxes.

Given that jeremy_bennett is unique throughout hp.com, otherwise 
the email would not work, and assuming everyone has an email 
address, then cn=jeremy bennett would be just as unique and could 
be used in the DN. This would mean that a display name is not 
needed.

> I don't
> think we should assume that the displayName value would be duplicated in
> the set of CNs, though. 

If display name is unique, then it duplicates the functionality of 
common name, does it not? The only time I see display name as 
having value is when meaningful common names cannot be unique, 
so cannot be used as DNs. We therefore put meaningless stuff in 
the DN to make it unique, and use display name to view the entry, 
but accept that several entries will have the same display name.

David

> Each directory owner will decide which information
> is useful as a display and use that. At HP I would use a combination of
> the e-mail address and name, at umich I would have used the uniqname, at a
> small company it might only be name.
> 
> Jeremy
> 
> ----------------------------------------------------------------------
> Jeremy Bennett Security and Directory Engineering Infrastructure Portfolio
> Team Business Infrastructure Services (E:BIS) Hewlett-Packard Company
> 


***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
*NEW* Mobile +44 790 167 0359 *NEW*
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm
Entrust key validation string MLJ9-DU5T-HV8J

***************************************************
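A check for the point made in the reply above, that a certificate's subject DN should equal the directory entry's DN so that a certificate swapped into another entry is detectable, written as an added example for this archive page and not code from either correspondent: it parses the two DNs quoted in the thread, treating the multi-valued RDN and the E/emailaddress spellings uniformly, and compares them. The reworked subject DN, the function names, and the simplified string-level comparison (a real deployment would compare the DER-encoded subject under the directory's matching rules) are assumptions.

```python
# Added example for this thread; not code from the list or either author.
# The DN strings are the ones quoted in the mail; the "reworked" subject DN
# is an assumption based on the reply's suggestion to move email into the extension.

# Map the alternate attribute-type spellings seen in the thread onto one form.
ALIASES = {"e": "emailaddress", "email": "emailaddress", "mail": "emailaddress"}

def parse_dn(dn):
    """Split an RFC 4514-style DN string into a list of RDNs (in string order);
    each RDN is a frozenset of (type, value) pairs so 'CN=a + E=b' equals
    'E=b + CN=a'. Handles backslash escapes and quoted values, not hex (#..) values."""
    rdns, rdn, buf, quoted, i = [], [], "", False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]; i += 2; continue  # escaped char: keep it literally
        if c == '"':
            quoted = not quoted                  # quotes delimit, they are not value
        elif not quoted and c in ",+":
            rdn.append(_ava(buf)); buf = ""
            if c == ",":
                rdns.append(frozenset(rdn)); rdn = []
        else:
            buf += c
        i += 1
    rdn.append(_ava(buf))
    rdns.append(frozenset(rdn))
    return rdns

def _ava(text):
    attr, _, value = text.partition("=")
    attr = attr.strip().lower()
    return (ALIASES.get(attr, attr), " ".join(value.split()).lower())

def subject_binds_to_entry(cert_subject_dn, entry_dn):
    """True when the certificate subject names exactly the directory entry,
    which is what lets a consumer notice a cert moved into another entry."""
    return parse_dn(cert_subject_dn) == parse_dn(entry_dn)

# DNs as quoted in the thread (the mail's line wrap joined back together).
CERT_DN = ("CN=Jeremy F Bennett + E=jeremy_bennett@hp.com,O=Hewlett-Packard "
           "Company,C=US,OU=Employees,O=hp.com")
LDAP_DN = "emailaddress=jeremy_bennett@hp.com,ou=Employees,o=hp.com"
# Assumed reworked subject: company name dropped, subject made equal to the
# LDAP entry DN, with the email also carried in the subjectAltName extension.
REWORKED_CERT_DN = "emailAddress=jeremy_bennett@hp.com, OU=Employees, O=hp.com"

if __name__ == "__main__":
    print(subject_binds_to_entry(CERT_DN, LDAP_DN))           # False
    print(subject_binds_to_entry(REWORKED_CERT_DN, LDAP_DN))  # True
```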